The Vultur trojan steals bank credentials but asks for permissions to do much more harm down the line.
After being available for more than two weeks, a malicious two-factor authentication (2FA) application has been removed from Google Play, but not before it was downloaded more than 10,000 times. The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data.
Users with the malicious app, straightforwardly named “2FA Authenticator,” are advised by researchers at Pradeo to delete it from their device immediately, since they still remain at risk both from banking-login theft and from other attacks made possible by the app’s extensive overpermissions.
The threat actors built a working and convincing application to hide the malware dropper, using open-source Aegis authentication code injected with malicious add-ons. That helped it spread through Google Play undetected, according to a Pradeo report released on Thursday.
“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added.
Vultur Banking Trojan Gobbles Down Permissions
Once downloaded, the app installs the Vultur banking trojan, which steals financial and banking data on the compromised device, but it can do much more.
First detected by analysts at ThreatFabric last March, the Vultur remote access trojan (RAT) malware was the first of its kind observed to use keylogging and screen recording as its main tactic for banking-data theft, allowing the group to automate the process of harvesting credentials and scale it up.
“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time.
The rogue 2FA authenticator also asks for device permissions beyond what was disclosed in its Google Play profile, the Pradeo team said.
Those sneaky, elevated privileges allow the attackers to perform many functions beyond the usual banking-trojan fare, the report explained, such as: accessing user location data, so attacks can be targeted at specific regions; disabling the device lock and password protection; downloading third-party applications; and taking over control of the device, even if the app is shut down.
Pradeo found another dirty trick the malicious 2FA app pulled by grabbing the SYSTEM_ALERT_WINDOW permission, which gives the app the ability to draw over and modify other mobile apps’ interfaces. As Google itself explains, “Very few apps should use this permission; these windows are intended for system-level interaction with the user.”
Once the device is fully compromised, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interfaces to steal users’ credentials and other critical financial data,” the report said.
The team at Pradeo reported that although the researchers submitted their disclosure to Google Play, the malicious 2FA Authenticator app loaded with the banking trojan remained available for 15 days.
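The gap between what an app discloses on its store listing and what its manifest actually requests is something a defender can check mechanically before allowing an app onto managed devices. The following is an added example, not code from Pradeo, ThreatFabric or the Aegis project: it parses a constructed AndroidManifest.xml, compares the declared `<uses-permission>` entries against the set a 2FA authenticator would plausibly disclose, and flags permissions tied to the capabilities described above (overlay, location, package installation, boot persistence). The sample manifests and the disclosed-permission baseline are assumptions for illustration; the permission strings themselves are real Android permission names.

```python
"""Audit an Android manifest's requested permissions against a disclosed baseline.

Added example (not Pradeo's, ThreatFabric's or Aegis's code). Manifests below are
constructed for illustration; permission names are real Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed baseline: what a standalone TOTP authenticator would disclose on its
# store listing (camera for QR enrolment, network, haptics).
DISCLOSED_ON_STORE = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
}

# Permissions that map onto the abuse described in the report, with a short
# explanation of why each matters for an authenticator app.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps' UI",
    "android.permission.ACCESS_FINE_LOCATION": "locate the user (geo-targeting)",
    "android.permission.ACCESS_COARSE_LOCATION": "locate the user (geo-targeting)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after reboot",
    "android.permission.READ_SMS": "read SMS one-time codes",
}

# Constructed manifest mimicking an over-permissioned "authenticator".
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed manifest for a benign authenticator that requests only what it discloses.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honest2fa">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(NAME_ATTR)
        if name:
            names.add(name)
    return names


def audit(manifest_xml, disclosed=DISCLOSED_ON_STORE, high_risk=HIGH_RISK):
    """Compare declared permissions with the disclosed baseline and flag risky ones.

    Returns a dict with the sorted declared list, the undisclosed extras, the
    high-risk permissions found (with their rationale) and a verdict.
    """
    declared = declared_permissions(manifest_xml)
    undisclosed = sorted(declared - set(disclosed))
    flagged = {p: high_risk[p] for p in sorted(declared) if p in high_risk}
    verdict = "REVIEW" if flagged or undisclosed else "OK"
    return {
        "declared": sorted(declared),
        "undisclosed": undisclosed,
        "high_risk": flagged,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = audit(manifest)
        print(label, report["verdict"])
        for perm in report["undisclosed"]:
            print("  undisclosed:", perm, "->", report["high_risk"].get(perm, "not in risk list"))
```

In practice the manifest would come from `aapt dump xmltree` or an APK analysis pipeline rather than an inline string, and the disclosed baseline would be pulled from the store listing; the comparison logic stays the same. Any undisclosed permission, and in particular SYSTEM_ALERT_WINDOW on an app whose only job is to display one-time codes, is reason to block the app pending review.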
Some sections of this article are sourced from:
threatpost.com